More apps exploiting Android “Master Key” bug found

Patches for the two recentlydiscovered Android “Master Key” bugs are still to be pushed out by many mobile carriers and device manufacturers.

In the meantime, malware developers have seized the opportunity and are making available for download seemingly legitimate and innocuous apps that have been modified to perform malicious actions.

“Master Key” bugs allow attackers to modify the code of any app without breaking its cryptographic signature, and thusly allows them to stealthily plant malicious apps on legitimate app stores and users’ phones.

Spotted and analyzed by Sophos researchers, the latest batch of these apps were designed to collect data regarding installed applications, SMS messages, and the IMSI number of the SIM card, as well as to send text messages to a list of numbers in China.

They are also able to connect to a server located on apkshopping.com, a domain that currently does not lead anywhere.

The thing that it’s interesting to note is that the app creators tried to take advantage of a “Master Key” bug, but were obviously not experienced enough to do it well.

According to researcher Paul Ducklin, in two of the apps they modified the original files but haven’t re-signed the files correctly and have invalidated the APK (Android aplication package file). With the third one – an add-on pack called Fashion for a picture-based messaging app called Lexin – they succeeded.

The researchers haven’t mentioned where they have found the aforementioned apps, but given that they are designed to send messages to a Chinese number, a good bet is that they were being offed for download on Chinese third-party online app markets.

In order to prevent getting infected, Ducklin advises using a mobile AV solution and downloading apps only from Google Play Store.

But, if you are tired of waiting for the patch for the flaws, you might consider using ReKey, a mobile app that takes the upstream patch from Google and deploys it in a safe and non-destructive manner on your device.